On the Dangers of SP 800-26

Posted March 11th, 2008 by

OK, let’s kick it old-sk00l-FISMA-stylie.  Back in the day, there was Special Publication 800-26.  It was part of the first set of guidance to come from NIST on information security (for those of you who can’t count, as of today we’re up to 800-115).  I guess you could say that the original 800-26 was the primordial beginnings of a catalog of controls combined with a self-assessment questionaire.

The cool thing about 800-26 that I liked was the fact that it’s a thinly-disguised version of CMMI:  5 levels of maturity, with level one being “do you have a policy that addresses this” and the plateau level being “have you integrated this control by feeding the results of testing back into all the other levels?”  Hey, sounds like fairly competent engineering and technical management practices (no, I’m not open to debate the merits and warts of CMMI today, tyvm) and is something familiar enough that we can instinctively get the idea of what we’re doing with it.

Now for the bad things:  some of the questions in 800-26 were um… I guess the phrase would be “irrelevant” or “deprecated due to time” or even “worn around the edges”.  The original 800-26 was good for a stop-gap measure, now it’s fallen into the class of “Cute, reminds me of the halcyon days of 2003 when we were so naive in our desire to rid the world of enencrypted telnet sessions”.

Our friends at NIST are going through a revision of 800-26 and have “pulled SP 800-26 off the market” for the time being.  Sometime in the future it will be a questionaire based on SP 800-53, the catalog of controls we all know and love.  The idea being that if you have a low-impact/criticality system, you can do a self-assessment using the new and improved 800-26 and it satisfies quite a few of your security controls requirements.  And hey, we all know that assessment of any IT system begins with self-assessment as some sort of gap assessment:  where are you now, where do you need to be, and how do you bridge the gap between these 2 points.

Of course, the concept of relying on self-assessment for security makes me cringe deep down inside, but keep in mind that this is only for low-criticality systems which means that they do not include PII, financial data, or classified information.  However, if you’re a FISMA-hater, you can always point to 800-26 and say “see, they think that by filling out a questionnaire, they’re making their IT more secure”.

Only here’s the problem:  I still see people on teh Intarweb still referring people to go “Read the Fine Manual” that is 800-26.  I know of at least one agency that requires a completed self-assessment to be submitted as part of their C&A package, and usually as a simple checkbox:  Have you filled one out or not?

The CISO deep down inside of me still wants to know what the value added is.  Sounds to me like we have the typical “Security Wonks Gone Wild” in that we’re so obsessed with filling out checklists and forms that we lost track of what our original intent was.

Now if you know me, you’ll remember that I usually don’t complain about something without having an alternative.  In this case, my alternative is this:  Don’t use 800-26 or recommend it to others and please do point out to people who require you to use 800-26 that its use has been rescinded by NIST and that your organization’s policy should have changed to keep up.

This is the official story from NIST, keep the link handy for the future:

Status of NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems

NIST SP 800-26 is superseded by NIST SP 800-53 and the draft NIST SP 800 53A.

Agencies are required to use FIPS 200/NIST Special Publication 800-53 for the specification of security controls and NIST Special Publication 800-53A for the assessment of security control effectiveness.

Similar Posts:

Posted in FISMA, What Doesn't Work | 5 Comments »

5 Responses

  1.  planetheidi Says:

    Sigh. I remember auditing a financial firm in the Big Appole using SP 800-26. Ah, how sweet it was to have a nice long empirical list of controls to dipstick them on. And speaking of dipsticks, they came through with level one for nearly all of them.

    Of course, now there’s ISO 27001/2.

  2.  Worker Says:

    A co-worker is looking for an old copy of the NIST SP 800-26 (for research reasons). Would you happen to have an old copy lurking in your personal archives?

  3.  rybolov Says:

    You know, I looked through all my stuff and I didn’t have it anywhere. Your best bet is to throw an email to NIST at sec-cert@nist.gov.

  4.  Archived for the World to See: SP 800-26 | The Guerilla CISO Says:

    […] government employee. Thanks for visiting and happy hacking!CAVEAT:  This document is dangerous!  See this post before you go any further.  You have been […]

  5.  rybolov Says:

    Against all other advice, if you read this and still are looking for 800-26, you can get it here:

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Visitor Geolocationing Widget: